aws-cdk
SQS: CDK Deploy by default adding Amazon SQS key(SSE-SQS) encryption
Describe the bug
The SQS constructor for CDK v2 by default adds Amazon SQS key (SSE-SQS) encryption. As mentioned in the description of the encryption property below:
"Whether the contents of the queue are encrypted, and by what type of key. Be aware that encryption is not available in all regions, please see the docs for current availability details. @default Unencrypted"
It should not add any encryption in SQS.
Expected Behavior
On SQS AWS Console Encryption should be disabled.
Current Behavior
On SQS AWS Console Encryption is enabled with Amazon SQS key(SSE-SQS).
CDK Code =
new sqs.Queue(this, 'test-queue', { queueName: "test-queue-name" });
Generated CFT Template =
Resources:
  testqueueA58C838B:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: test-queue-name
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: test-stack/test-queue/Resource
CDK Dependencies - "aws-cdk-lib": "2.37.0", "aws-cdk": "2.37.0"
Reproduction Steps
- Create a new SQS queue in the sample project without adding any properties
- After creation, observe in the AWS Console that the SQS queue is created with Encryption set to Amazon SQS key (SSE-SQS)
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.37.0
Framework Version
No response
Node.js Version
16.15.0
OS
Windows
Language
Typescript
Language Version
3.9.7
Other information
No response
Even if I explicitly mention it in the constructor, it is still creating the queue with encryption.
new sqs.Queue(this, 'test-queue', { queueName: "test-queue", encryption: cdk.aws_sqs.QueueEncryption.UNENCRYPTED });
It appears the default when deploying a stack via CloudFormation is now to enable the SqsManagedSseEnabled property, but as this property isn't supported by CDK (#17770) we have no way to disable this behaviour.
Yeah, this issue is impacting CDKv1 as well.
If you have access to the AWS cli, you can do something similar to the following (I use zsh):
for url in $(aws sqs list-queues --output text --query QueueUrls); aws sqs set-queue-attributes --attributes SqsManagedSseEnabled=false --queue-url $url
A smarter query can be used to filter the queues you want to target.
Until the new property is added to the queue construct, this can still be worked around within CDK using an escape hatch:
const cfnQueue = queue.node.defaultChild as CfnResource;
cfnQueue.addOverride('Properties.SqsManagedSseEnabled', false)
It is my understanding that this PR: https://github.com/aws/aws-cdk/pull/21591 will fix the mentioned behaviour
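An added audit example in TypeScript (not code from this issue or from aws-cdk): it classifies each AWS::SQS::Queue in a synthesized template (the JSON that `cdk synth` writes) by whether its encryption state is stated explicitly or left to the CloudFormation default, using the resource's own property names (`SqsManagedSseEnabled`, `KmsMasterKeyId`), and applies the same property the escape hatch above overrides. It needs no aws-cdk-lib; the function names and the sample template object are constructed here.

```typescript
// Added example (assumed helper names), operating on a synthesized
// CloudFormation template rather than on CDK constructs.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

type QueueEncryptionState =
  | "kms"              // KmsMasterKeyId present: SSE-KMS
  | "sse-sqs"          // SqsManagedSseEnabled: true
  | "unencrypted"      // SqsManagedSseEnabled: false and no KMS key
  | "implicit-default"; // neither property: the service default decides (now SSE-SQS)

// Decide the encryption state from the queue's Properties block only.
function classifyQueue(props: Record<string, unknown> = {}): QueueEncryptionState {
  const kms = props.KmsMasterKeyId;
  if (typeof kms === "string" || (typeof kms === "object" && kms !== null)) return "kms";
  if (props.SqsManagedSseEnabled === true) return "sse-sqs";
  if (props.SqsManagedSseEnabled === false) return "unencrypted";
  return "implicit-default";
}

interface Finding { logicalId: string; state: QueueEncryptionState }

// One finding per queue; a pipeline check would fail on "implicit-default",
// because that is exactly the template whose behaviour changed underneath CDK.
function auditQueues(template: CfnTemplate): Finding[] {
  return Object.entries(template.Resources)
    .filter(([, r]) => r.Type === "AWS::SQS::Queue")
    .map(([logicalId, r]) => ({ logicalId, state: classifyQueue(r.Properties) }));
}

// Writes the same property the CDK escape hatch sets with
// cfnQueue.addOverride('Properties.SqsManagedSseEnabled', false).
function setSqsManagedSse(template: CfnTemplate, logicalId: string, enabled: boolean): CfnTemplate {
  const r = template.Resources[logicalId];
  if (!r || r.Type !== "AWS::SQS::Queue") throw new Error(`${logicalId} is not an AWS::SQS::Queue`);
  r.Properties = { ...(r.Properties ?? {}), SqsManagedSseEnabled: enabled };
  return template;
}

// Constructed sample: the template the reporter's `new sqs.Queue(...)` synthesized,
// with no encryption property at all.
const sampleTemplate: CfnTemplate = {
  Resources: {
    testqueueA58C838B: {
      Type: "AWS::SQS::Queue",
      Properties: { QueueName: "test-queue-name" },
    },
  },
};
```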
As mentioned by @kurtismash the default behaviour in CloudFormation has changed. The following snippet creates an encrypted SQS queue.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyQueue:
    Type: AWS::SQS::Queue
Result in AWS Console:

The documentation describes the new logic:
To protect the data in a queue’s messages, Amazon SQS has server-side encryption (SSE) enabled by default for all newly created queues.
If I create a new SQS queue manually in the AWS console, SSE-SQS is also selected by default.

PR #21591 doesn't disable encryption if UNENCRYPTED is used. I will submit another PR.
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.